An allegory for computer security. You have lived all your life in a quickly growing town, whose growth has been sped up by constructing all the buildings out of wood. Some buildings in town are huge structures that have been repeatedly expanded with new wings and towers; others are simple shacks that are put up … Continue reading The Wooden Firehouse
You will be asked to implement specifications that are unclear or contradictory. You will be evaluated anyway on whether you implemented the right specification. You will be asked the wrong questions. Still, you will have to answer the right question. You will need judgment and creativity to succeed.
The recent Meltdown and Spectre attacks have exposed, or at least emphasized, a fundamental problem with the conventional approach to computer security at the hardware level. Both of these attacks rely on side channels in conventional processor designs. By exploiting these side channels, an untrusted program can learn the contents of the operating system kernel's memory or … Continue reading Meltdown, Spectre, and why hardware can be correct yet insecure
The hash table is a wonderful data structure. Unfortunately no one wraps it in the right abstraction. Typically, hash table implementations do some hashing internally, which is insufficient unless you're hashing pointers, and wastes time if you're already providing a good hash function. But how do you know if your hash function is good enough? … Continue reading A pet peeve about hash tables
I've done a fair amount of work on persistent object systems, starting with the Thor distributed storage system and more recently, the Fabric system. I used to think the point of persistent object systems was to make programming easier. Lately I think security might be an even stronger argument. For programmers, the great thing about persistent … Continue reading Deserialization considered harmful: the security case for persistent objects
I just inadvertently ran a poorly controlled experiment on the relative virtues of these three programming languages, at least for the job of writing compilers. Despite the nonexistent experimental protocol, I thought the results were pretty interesting—even if they may irritate some of my PL colleagues. In my compilers course at Cornell (CS 4120), I let the … Continue reading Java vs. OCaml vs. Scala
There has been much nice work lately on proving that complex software is written correctly, including components like operating systems, compilers. But it's hard to see how to scale these heroic efforts to the vast amount of software that is being written every day. It's simply too hard to build software that is correct and secure. … Continue reading Limits of Heroism
I've been interested in voting methods (algorithms for deciding who wins an election) for some time. The standard voting method (plurality) has long been criticized for being subject to vote splitting and other anomalies that cause the results of an election not to correctly represent the consensus opinion of the electorate. From the polling, the problems … Continue reading Strategic voting and the Republican primary
Current computer systems are built in layers. The hardware increasingly has features to support security. Then a hypervisor/VMM is wrapped around the hardware. A guest OS runs on top of the hypervisor. Complex libraries use the OS. And finally the application sits on top of this whole stack. The current approach to building secure systems … Continue reading Attack in depth
The dream of building provably correct software seems to be coming closer to reality. It is very cool to see all the recent work on the systems community on building provably correct systems components. At the same time, I'm worried that the training of software developers actually involves less formal logic compared to a generation ago. … Continue reading The logic deficit
Bad people can make your computer do the wrong things and tell the bad people about stuff they are not supposed to know. People try to make computers that only do the right things. But it is hard to tell a computer what it should do because you have to think of all the mean … Continue reading What I do
